
Splunk SPLK-2003 Splunk SOAR Certified Automation Developer Exam Practice Test

Page: 1 / 11
Total 110 questions

Splunk SOAR Certified Automation Developer Exam Questions and Answers

Question 1

What is the default embedded search engine used by Phantom?

Options:

A.

Embedded Splunk search engine.

B.

Embedded Phantom search engine.

C.

Embedded Elastic search engine.

D.

Embedded Django search engine.

Question 2

How does a user determine which app actions are available?

Options:

A.

Add an action block to a playbook canvas area.

B.

Search the Apps category in the global search field.

C.

From the Apps menu, click the supported actions dropdown for each app.

D.

In the visual playbook editor, click Active and click the Available App Actions dropdown.

Question 3

Why is it good playbook design to create smaller and more focused playbooks? (select all that apply)

Options:

A.

Reduces the amount of playbook data stored in each repo.

B.

Avoids large, complex playbooks that become difficult to maintain.

C.

Encourages code reuse in a more compartmentalized form.

D.

To avoid duplication of code across multiple playbooks.

Question 4

Under Asset Ingestion Settings, how many labels must be applied when configuring an asset?

Options:

A.

Labels are not configured under Asset Ingestion Settings.

B.

One.

C.

One or more.

D.

Zero or more.

Question 5

Where can the Splunk App for SOAR Export be downloaded from?

Options:

A.

GitHub and Splunkbase.

B.

SOAR Community and GitHub.

C.

Splunkbase and SOAR Community.

D.

Splunk Answers and Splunkbase.

Question 6

Which of the following are examples of things commonly done with the Phantom REST API?

Options:

A.

Use Django queries; use curl to create a container and add artifacts to it; remove temporary lists.

B.

Use Django queries; use Docker to create a container and add artifacts to it; remove temporary lists.

C.

Use Django queries; use curl to create a container and add artifacts to it; add action blocks.

D.

Use SQL queries; use curl to create a container and add artifacts to it; remove temporary lists.

Question 7

An active playbook can be configured to operate on all containers that share which attribute?

Options:

A.

Artifact

B.

Label

C.

Tag

D.

Severity

Question 8

When writing a custom function that uses regex to extract the domain name from a URL, a user wants to create a new artifact for the extracted domain. Which of the following Python API calls will create a new artifact?

Options:

A.

phantom.new_artifact()

B.

phantom.update()

C.

phantom.create_artifact()

D.

phantom.add_artifact()

Question 9

What is the default log level for system health debug logs?

Options:

A.

INFO

B.

WARN

C.

ERROR

D.

DEBUG

Question 10

Which of the following are the steps required to complete a full backup of a Splunk Phantom deployment? Assume the commands are executed from /opt/phantom/bin and that no other backups have been made.

Options:

A.

On the command line enter: sudo phenv python ibackup.pyc --setup, then sudo phenv python ibackup.pyc --backup.

B.

On the command line enter: sudo phenv python ibackup.pyc --backup --backup-type full, then sudo phenv python ibackup.pyc --setup.

C.

Within the UI: Select from the main menu Administration > System Health > Backup.

D.

Within the UI: Select from the main menu Administration > Product Settings > Backup.

Question 11

In a playbook, more than one Action block can be active at one time. What is this called?

Options:

A.

Serial Processing

B.

Parallel Processing

C.

Multithreaded Processing

D.

Juggle Processing

Question 12

When configuring a Splunk asset for SOAR to connect to a Splunk Cloud instance, the user discovers that they need to be able to run two different on_poll searches. How is this possible?

Options:

A.

Install a second Splunk app and configure the query in the second app.

B.

Configure the second query in the Splunk App for SOAR Export.

C.

Enter the two queries in the asset as comma separated values.

D.

Configure a second Splunk asset with the second query.

Question 13

When working with complex data paths, which operator is used to access a sub-element inside another element?

Options:

A.

| (pipe)

B.

* (asterisk)

C.

: (colon)

D.

. (dot)

Question 14

What is the simplest way to pass data between playbooks?

Options:

A.

Action results

B.

File system

C.

Artifacts

D.

KV Store

Question 15

Is it possible to import external Python libraries such as the time module?

Options:

A.

No.

B.

No, but this can be changed by setting the proper permissions.

C.

Yes, in the global block.

D.

Yes, from a drop-down menu.

Question 16

In addition to full backups, what other backup type does Phantom support using ibackup?

Options:

A.

Snapshot

B.

Incremental

C.

Partial

D.

Differential

Question 17

Which Phantom VPE block is used to add information to custom lists?

Options:

A.

Action blocks

B.

Filter blocks

C.

API blocks

D.

Decision blocks

Question 18

Some of the playbooks on the SOAR server should only be executed by members of the admin role. How can this rule be applied?

Options:

A.

Make sure the Execute Playbook capability is removed from all roles except admin.

B.

Place restricted playbooks in a second source repository that has restricted access.

C.

Add a filter block to all restricted playbooks that filters for runRole = "Admin".

D.

Add a tag with restricted access to the restricted playbooks.

Question 19

Without customizing container status within Phantom, what are the three types of status for a container?

Options:

A.

New, In Progress, Closed

B.

Low, Medium, High

C.

New, Open, Resolved

D.

Low, Medium, Critical

Question 20

A filter block with only one condition configured, which states: artifact:*.cef.sourceAddress != , would permit which of the following data to pass forward to the next block?

Options:

A.

Null IP addresses

B.

Non-null IP addresses

C.

Non-null destinationAddresses

D.

Null values
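The data-path and filter questions above (the dot operator in Question 13, the custom-list block in Question 17, the `!=` filter condition in Question 20, and the domain-extracting custom function in Question 8) all come down to walking artifact JSON and testing the values found. The following is an added example, not code from this page or from Splunk: a small Python emulation of that evaluation over a constructed container. The sample artifacts, the blocklist, the field layout of the extracted-domain artifact, and the null rule (a missing key, None and "" all count as null) are my assumptions; the platform call that actually persists a new artifact is not modelled.

```python
from __future__ import annotations

import re
from typing import Any

# Constructed sample container, not real SOAR data: four artifacts with
# varying CEF fields so a filter has something to include and exclude.
CONTAINER = {
    "id": 42,
    "label": "events",
    "artifacts": [
        {"id": 1, "name": "alert", "cef": {"sourceAddress": "10.1.2.3", "destinationAddress": "203.0.113.7"}},
        {"id": 2, "name": "alert", "cef": {"sourceAddress": "", "destinationAddress": "203.0.113.9"}},
        {"id": 3, "name": "alert", "cef": {"destinationAddress": "203.0.113.10"}},
        {"id": 4, "name": "alert", "cef": {"sourceAddress": "192.0.2.55", "requestURL": "http://user@evil.example:8080/x"}},
    ],
}

# Constructed custom list, the kind a VPE block reads from or appends to.
BLOCKLIST = ["192.0.2.55", "198.51.100.99"]


def resolve_datapath(container: dict, datapath: str) -> list[tuple[int, Any]]:
    """Walk a data path such as 'artifact:*.cef.sourceAddress'.

    The colon separates the source (artifact) from the path, '*' selects every
    artifact, and each further '.' segment descends one level into the
    artifact JSON. Returns (artifact_id, value) pairs; value is None when any
    segment is missing.
    """
    source, _, path = datapath.partition(":")
    if source != "artifact":
        raise ValueError(f"unsupported data path source: {source!r}")
    segments = path.split(".")
    if segments[0] != "*":
        raise ValueError("only the '*' (all artifacts) selector is modelled here")
    results = []
    for artifact in container["artifacts"]:
        node: Any = artifact
        for key in segments[1:]:
            node = node.get(key) if isinstance(node, dict) else None
        results.append((artifact["id"], node))
    return results


def _is_null(value: Any) -> bool:
    # Assumption: a missing key, None and "" are all treated as null.
    return value is None or value == ""


_OPS = {
    "==": lambda found, want: found == want,
    "!=": lambda found, want: found != want,
    "in": lambda found, want: found in want,
    "not in": lambda found, want: found not in want,
    "contains": lambda found, want: want in str(found),
}


def filter_block(container: dict, datapath: str, op: str, value: Any) -> list[int]:
    """Emulate a single-condition filter block; return the artifact ids that
    pass to the next block.

    '!= ""' is read as "the value is present" and '== ""' as "the value is
    absent"; any other comparison against a null value fails, so an artifact
    lacking the field never slips through an 'in' or '==' test.
    """
    passed = []
    for artifact_id, found in resolve_datapath(container, datapath):
        if op == "!=" and _is_null(value):
            ok = not _is_null(found)
        elif op == "==" and _is_null(value):
            ok = _is_null(found)
        elif _is_null(found):
            ok = False
        else:
            ok = _OPS[op](found, value)
        if ok:
            passed.append(artifact_id)
    return passed


# scheme://[userinfo@]host[:port]/... ; the host is group 1.
_HOST_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://(?:[^@/?#]*@)?([^/?#:]+)")


def domain_from_url(url: str) -> str | None:
    """Regex extraction of the host part of a URL (userinfo and port dropped)."""
    match = _HOST_RE.match(url)
    return match.group(1).lower() if match else None


def domain_artifacts(container: dict) -> list[dict]:
    """What a custom function would build for each artifact carrying a
    requestURL: the JSON of a new artifact holding the extracted domain."""
    new_artifacts = []
    for artifact_id, url in resolve_datapath(container, "artifact:*.cef.requestURL"):
        domain = domain_from_url(url) if isinstance(url, str) else None
        if domain:
            new_artifacts.append({
                "container_id": container["id"],
                "name": "extracted domain",
                "label": container["label"],
                "cef": {"destinationDnsDomain": domain},
                "source_data_identifier": f"artifact-{artifact_id}-domain",
            })
    return new_artifacts


if __name__ == "__main__":
    print(filter_block(CONTAINER, "artifact:*.cef.sourceAddress", "!=", ""))
    print(filter_block(CONTAINER, "artifact:*.cef.sourceAddress", "in", BLOCKLIST))
    print(domain_artifacts(CONTAINER))
```

Run as-is, the first line prints the artifacts whose sourceAddress is populated (ids 1 and 4), which is the behaviour the `!=` condition in Question 20 is asking about; artifact 3, which has no sourceAddress key at all, is dropped along with the empty string in artifact 2. Extracting the host with a regex rather than `urllib.parse` is deliberate here because the question specifies regex; in production code prefer the parser, which also handles IPv6 literals.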

Question 21

Where in SOAR can a user view the JSON data for a container?

Options:

A.

In the analyst queue.

B.

On the Investigation page.

C.

In the data ingestion display.

D.

In the audit log.

Question 22

Two action blocks, geolocate_ip_1 and file_reputation_2, are connected to a decision block. Which of the following is a correct configuration for making a decision on the action results from one of the given blocks?

Options:

A.

B.

C.

D.

Question 23

Which of the following can be edited or deleted in the Investigation page?

Options:

A.

Action results

B.

Comments

C.

Approval records

D.

Artifact values

Question 24

When the Splunk App for SOAR Export executes a Splunk search, which activities are completed?

Options:

A.

CEF fields are mapped to CIM fields and a container is created on the SOAR server.

B.

CIM fields are mapped to CEF fields and a container is created on the SOAR server.

C.

CEF fields are mapped to CIM and a container is created on the Splunk server.

D.

CIM fields are mapped to CEF and a container is created on the Splunk server.

Question 25

On a multi-tenant Phantom server, what is the default tenant's ID?

Options:

A.

0

B.

Default

C.

1

D.

*

Question 26

Which of the following queries would return all artifacts that contain a SHA1 file hash?

Options:

A.

https:// /rest/artifact?_filter_cef__md5__isnull=false

B.

https:// /rest/artifact?_filter_cef__sha1__contains=""

C.

https:// /rest/artifact?_filter_cef__sha1__isnull=False

D.

https:// /rest/artifact?_filter_sha1__isnull=False

Question 27

A user has written a playbook that calls three other playbooks, one after the other. The user notices that the second playbook starts executing before the first one completes. What is the cause of this behavior?

Options:

A.

Synchronous execution has not been configured.

B.

The first playbook is performing poorly.

C.

The sleep option for the second playbook is not set to a long enough interval.

D.

Incorrect join configuration on the second playbook.

Question 28

When configuring a Splunk asset for Phantom to connect to a Splunk Cloud instance, the user discovers that they need to be able to run two different on_poll searches. How is this possible?

Options:

A.

Enter the two queries in the asset as comma separated values.

B.

Configure the second query in the Phantom app for Splunk.

C.

Install a second Splunk app and configure the query in the second app.

D.

Configure a second Splunk asset with the second query.

Question 29

How can parent and child playbooks pass information to each other?

Options:

A.

The parent can pass arguments to the child when called, and the child can return values from the end block.

B.

The parent can pass arguments to the child when called, but the child can only pass values back as new artifacts in the event.

C.

The parent must create a new artifact in the event named arg_xxx, and the child must return values by creating artifacts with the naming convention return_xxx.

D.

The parent must create a new artifact in the event named return_xxx, and the child must return values by creating artifacts with the naming convention arg_xxx.

Question 30

Which of the following can be configured in the ROI Settings?

Options:

A.

Analyst hours per month.

B.

Time lost.

C.

Number of full time employees (FTEs).

D.

Annual analyst salary.

Question 31

What metrics can be seen from the System Health Display? (select all that apply)

Options:

A.

Playbook Usage

B.

Memory Usage

C.

Disk Usage

D.

Load Average

Question 32

How is a Django filter query performed?

Options:

A.

By adding parameters to the URL similar to the following: phantom/rest/container?_filter_tags__contains="sumo".

B.

phantom/rest/search/app/contains/"sumo"

C.

Browse to the Django Filter Query Editor in the Administration panel.

D.

Install the SOAR Django App first, then configure the search query in the App editor.
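Questions 6, 26 and 32 all turn on the REST API: creating a container and adding artifacts with curl-style POSTs, and reading objects back with Django-style `_filter_<field>__<lookup>` query parameters. Below is an added example, not code from this page or from Splunk, that does the same from the Python standard library. The host name and token are placeholders, the container and artifact field names are the ones I know from the REST JSON (confirm them against your release), and `FakeSoar` is a constructed offline stand-in so the create-then-add flow can be exercised without a server.

```python
from __future__ import annotations

import json
import ssl
import urllib.parse
import urllib.request
from typing import Any, Callable

# Placeholders (assumptions, not values from the page): point these at a real
# SOAR host and an automation-user token before sending anything.
SOAR_BASE = "https://soar.example.internal"
AUTH_TOKEN = "<automation-user-token>"


def _literal(value: Any) -> str:
    """Render a filter value the way the page's own examples spell it:
    strings double-quoted, booleans and None in Python spelling."""
    if isinstance(value, bool) or value is None:
        return repr(value)          # True / False / None
    if isinstance(value, str):
        return json.dumps(value)    # "sumo", quotes included
    return str(value)


def filter_url(endpoint: str, base: str = SOAR_BASE, page_size: int = 100, **filters: Any) -> str:
    """Build a Django-style filter query on /rest/<endpoint>.

    Keyword names use field__lookup form, so cef__sha1__isnull=False becomes
    ?_filter_cef__sha1__isnull=False and tags__contains="sumo" becomes
    ?_filter_tags__contains=%22sumo%22 (the quotes are part of the value).
    """
    params = {f"_filter_{name}": _literal(value) for name, value in filters.items()}
    params["page_size"] = str(page_size)
    return f"{base.rstrip('/')}/rest/{endpoint}?{urllib.parse.urlencode(params)}"


def container_payload(name: str, label: str, severity: str = "medium", **extra: Any) -> dict:
    """JSON body for POST /rest/container; extra keys such as description,
    source_data_identifier or tags are passed through unchanged."""
    body = {"name": name, "label": label, "severity": severity}
    body.update(extra)
    return body


def artifact_payload(container_id: int, cef: dict, name: str = "artifact",
                     label: str = "event", run_automation: bool = True) -> dict:
    """JSON body for POST /rest/artifact; run_automation=True lets active
    playbooks fire on the new artifact."""
    return {"container_id": container_id, "name": name, "label": label,
            "cef": cef, "run_automation": run_automation}


def prepare_request(method: str, url: str, body: dict | None = None,
                    token: str = AUTH_TOKEN) -> urllib.request.Request:
    """Attach the automation token and JSON body. urllib stores the header as
    Ph-auth-token; HTTP header names are case-insensitive, so that is fine."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("ph-auth-token", token)
    req.add_header("Content-Type", "application/json")
    return req


def soar_call(method: str, url: str, body: dict | None = None, token: str = AUTH_TOKEN,
              cafile: str | None = None) -> dict:
    """Send the request and decode the JSON reply. TLS is verified against the
    system store or cafile; do not turn verification off for a host that
    holds automation credentials."""
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(prepare_request(method, url, body, token), context=ctx) as resp:
        return json.loads(resp.read())


def ingest(name: str, label: str, cefs: list[dict], call: Callable[..., dict] = soar_call,
           base: str = SOAR_BASE) -> tuple[int, list[int]]:
    """The curl workflow from Question 6 in one call: create a container, then
    add one artifact per CEF dict. Returns (container_id, artifact_ids)."""
    container_id = call("POST", f"{base}/rest/container", container_payload(name, label))["id"]
    artifact_ids = [
        call("POST", f"{base}/rest/artifact", artifact_payload(container_id, cef))["id"]
        for cef in cefs
    ]
    return container_id, artifact_ids


class FakeSoar:
    """Constructed offline stand-in for the server: records every request and
    hands out sequential ids, so the flow above can run with no host."""
    def __init__(self) -> None:
        self.requests = []
        self._next_id = 0

    def __call__(self, method: str, url: str, body: dict | None = None, **_: Any) -> dict:
        self.requests.append((method, url, body))
        self._next_id += 1
        return {"id": self._next_id, "success": True}


if __name__ == "__main__":
    fake = FakeSoar()
    print(ingest("Suspicious login", "events", [{"sourceAddress": "198.51.100.4"}], call=fake))
    print(filter_url("artifact", cef__sha1__isnull=False))
    print(filter_url("container", tags__contains="sumo"))
```

Two details worth checking in practice: the value in a `_filter_` parameter is interpreted as a literal, so a string must carry its own quotes (which is why the page's examples read `="sumo"` and `=False`), and list endpoints are paginated, so iterate with `page` and `page_size` rather than assuming one response holds every match.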

Question 33

During a second test of a playbook, a user receives an error that states: "an empty parameters list was passed to phantom.act()". What does this indicate?

Options:

A.

The container has artifacts not parameters.

B.

The playbook is using an incorrect container.

C.

The playbook debugger's scope is set to new.

D.

The playbook debugger's scope is set to all.
